Getting Started
ENTERPRISE

Styra's Declarative Authorization Service (DAS) works with Kubernetes APIs to provide desired-state security. Styra lets you define policy before runtime, so teams can define, enforce, and validate security with no black boxes, additional servers, or complex configuration. On-premises customers can install and configure Styra DAS On-premises in different environments.

Requirements

The following requirements must be met in order to install Styra DAS On-premises on a variety of Kubernetes environments:

Storage Guidelines

  • To estimate the storage requirements, the system was tested with five Kubernetes clusters running the Styra OPA agents, generating approximately 800 decisions every second.

  • When running the minimum number of Styra OPA agents, 128GB of storage was used to store 14 days of decisions.

Important

Styra recommends allocating between 250GB and 500GB of storage to Postgres.

Sizing Elasticsearch

DAS uses Elasticsearch to maintain a search index of policy decisions uploaded by OPA. Sizing the Elasticsearch installation is therefore a matter of determining the volume of decisions that OPA instances upload, on average.

The approximate formula to estimate the total available disk space required to maintain the index is:

# of days indexed * # of decisions per day * average size of single decision * overhead factor

By default, DAS maintains the index for 3 days, but since the cleaning takes place once a day, transiently DAS may store decisions for one extra day. # of decisions per day is largely dependent on the OPAs connected to DAS, as is the average size of a single decision JSON document. Overhead factor is due to the replication and indexing overhead of Elasticsearch itself. Styra recommends an overhead multiplier of 5 for extra safety.

For example, assume the following:

  • The default of 3 days of log retention is used. That means DAS will transiently maintain 4 days' worth of decisions.

  • The connected OPAs produce 100 decisions (in total) per second, that is, 8.64 million per day.

  • Each decision JSON document uploaded by OPA takes 2048 bytes on average.

  • Overhead factor of 5.

Therefore, in this example, the total space required to maintain the indices is approximately: 4 * 8640000 * 2048 * 5 = 330GB.
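The following is an added example, not Styra's code: instead of assuming the inputs, it measures the average decision size and the decision rate from a sample of decision-log lines and feeds them into the formula above. It assumes decisions are available as one JSON document per line with an RFC 3339 `timestamp` field; the sample data, the function names, and the `path` value are constructed for illustration.

```python
import json
from datetime import datetime

GIB = 1024 ** 3
SECONDS_PER_DAY = 86400

def index_bytes(retention_days, decisions_per_day, avg_decision_bytes, overhead=5):
    """Formula from the text; +1 day because cleanup runs only once a day."""
    return (retention_days + 1) * decisions_per_day * avg_decision_bytes * overhead

def profile_sample(lines):
    """Return (average bytes per decision, decisions per second) for a sample."""
    sizes, stamps = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        doc = json.loads(line)
        sizes.append(len(line.encode("utf-8")))
        # Whole-second timestamps here; trim sub-microsecond digits on Python < 3.11.
        stamps.append(datetime.fromisoformat(doc["timestamp"].replace("Z", "+00:00")))
    if len(sizes) < 2:
        raise ValueError("need at least two decisions to estimate a rate")
    span = (max(stamps) - min(stamps)).total_seconds()
    if span <= 0:
        raise ValueError("sample spans zero seconds; collect a longer sample")
    return sum(sizes) / len(sizes), (len(sizes) - 1) / span

def constructed_sample(n=201, per_second=100):
    """Constructed decisions (not real logs): per_second entries per second."""
    return [json.dumps({
        "decision_id": f"constructed-{i:04d}",
        "path": "kubernetes/admission",  # hypothetical policy path
        "input": {"kind": "Pod", "namespace": "default"},
        "result": {"allow": True},
        "timestamp": f"2024-01-01T00:00:{i // per_second:02d}Z",
    }) for i in range(n)]

if __name__ == "__main__":
    avg, rate = profile_sample(constructed_sample())
    need = index_bytes(3, rate * SECONDS_PER_DAY, avg)
    print(f"{avg:.0f} B/decision at {rate:.0f}/s -> {need / GIB:.1f} GiB")
    page = index_bytes(3, 8_640_000, 2048)
    print(f"text example: {page / 1e9:.1f} GB decimal = {page / GIB:.1f} GiB")
```

The example product is 353,894,400,000 bytes, which matches the 330GB figure when converted with 1024^3 bytes per GB; in decimal units it is about 354 GB, so check which unit your storage provisioning uses.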

Namespace

Styra DAS On-premises can be installed in any namespace, and the installation instructions do not make any assumption about namespace.

Computing and Networking

The following shows the computing and networking requirements:

  • Kubernetes 1.11 or later.

  • Six vCPUs.

  • 32 GB memory.

  • Access to a Container Registry.

  • (Optional) Access to an SMTP server.

  • A Load Balancer or Ingress to expose the Styra DAS endpoint.

  • Recommended: A TLS certificate for the Load Balancer or Ingress to configure HTTPS.